This document describes the configuration of a local Extensible
Authentication Protocol (EAP) server in a Cisco Wireless LAN Controller (WLC)
for the authentication of wireless users.

Local EAP is an authentication method that lets users and wireless clients
be authenticated locally on the controller. It is designed for remote offices
that need to keep wireless clients connected when the link to the back-end
systems is disrupted or the external authentication server goes down. When you
enable local EAP, the controller acts as the authentication server and as the
local user database, which removes the dependence on an external
authentication server. Local EAP retrieves user credentials from the local
user database or from a Lightweight Directory Access Protocol (LDAP) back-end
database in order to authenticate users. Local EAP supports Lightweight EAP
(LEAP), EAP-Flexible Authentication via Secure Tunneling (EAP-FAST), and
EAP-Transport Layer Security (EAP-TLS) between the controller and wireless
clients. Of these, LEAP gives no protection against offline dictionary attacks
on the user password and should only be enabled for legacy clients that
support nothing else; prefer EAP-TLS or EAP-FAST.

Note that the local EAP server is not used while a global external RADIUS
server is configured on the WLC and reachable. All authentication requests are
forwarded to the global external RADIUS server, and the local EAP server only
becomes active when the WLC loses connectivity to the external RADIUS server.
If there is no global RADIUS server configuration, the local EAP server is
active immediately. The local EAP server cannot authenticate clients that are
associated to other WLCs; in other words, one WLC cannot forward its EAP
requests to another WLC for authentication. Every WLC therefore needs its own
local EAP server and its own user database.

Note: These settings control where the local EAP server looks up user
credentials (the local database or LDAP). They do not change the global RADIUS
server configuration; as described above, the WLC keeps sending requests to a
configured external RADIUS server as long as that server is reachable.

From the GUI, choose Security > Local EAP >
Authentication Priority. Select LDAP, click the
"<" button to remove it from the ordered list, and click Apply. The local EAP
server then looks up user credentials in the local database.

From the CLI:

(Cisco Controller) >config local-auth user-credentials local

Add an EAP profile:

In order to do this from the GUI, choose Security >
Local EAP > Profiles and click New. When the new
window appears, type the Profile Name and click
Apply.

You can also do this using the CLI command config
local-auth eap-profile add
<profile-name>. In our example, the
profile name is EAP-test.

(Cisco Controller) >config local-auth eap-profile add EAP-test

Add a method to the EAP profile.

From the GUI, choose Security > Local EAP >
Profiles and click the name of the profile to which you want to add
authentication methods. Check the methods you want to allow (this example uses
LEAP, EAP-FAST, and EAP-TLS) and click Apply in order to set the
methods.

You can also use the CLI command config local-auth
eap-profile method add <method-name> <profile-name>. In our example
configuration we add three methods to the profile EAP-test: LEAP, EAP-FAST,
and EAP-TLS, whose CLI method names are leap, fast, and tls respectively.
These are the CLI configuration commands:

(Cisco Controller) >config local-auth eap-profile method add leap EAP-test
(Cisco Controller) >config local-auth eap-profile method add fast EAP-test
(Cisco Controller) >config local-auth eap-profile method add tls EAP-test

Enable local EAP authentication on the WLAN.

From the GUI, choose WLANs on the top menu and
select the WLAN for which you want to configure local authentication. In the
window that appears, click the Security > AAA tabs.
Check Local EAP Authentication and select the
EAP Profile Name you created (EAP-test in this example) from the pull-down
menu, as this example shows:

You can also issue the CLI configuration command config wlan local-auth
enable <profile-name> <wlan-id>, as
shown here:

(Cisco Controller) >config wlan local-auth enable EAP-test 1

Set the Layer 2 Security parameters.

From the GUI, in the WLAN Edit window go to the
Security > Layer 2 tabs and choose WPA+WPA2
from the Layer 2 Security pull-down menu. Under the WPA+WPA2 Parameters
section, set the WPA Encryption to TKIP and the WPA2 Encryption to
AES. Then click Apply. WPA with TKIP is enabled here only for older clients;
TKIP is deprecated, so leave WPA/TKIP off and use WPA2 with AES alone unless
legacy clients require it.

Other local authentication parameters can also be configured, in
particular the active timeout. This timer sets the period during which local
EAP is used after all configured RADIUS servers have
failed.

From the GUI, choose Security > Local EAP >
General and set the time value. Then click Apply.

If you need to generate and load a manual PAC for EAP-FAST, you can use
either the GUI or the CLI.

From the GUI, select COMMANDS from the top menu
and choose Upload File from the list on the right-hand side.
Select PAC (Protected Access Credential) from the File Type
pull-down menu, enter the required parameters and click Upload.

In order to use EAP-FAST version 2 and EAP-TLS authentication, the WLC
and all the client devices must have a valid certificate and must also trust
the public certificate of the Certification Authority that issued them.

Note that in the example shown in this document, the Access Control
Server (ACS) is installed on the same host as Microsoft Active Directory
and the Microsoft Certification Authority, but the configuration is the same
if ACS runs on a separate server.

The client must obtain the root CA certificate from the Certification
Authority server. There are several methods you can use to obtain the CA
certificate and install it on the Windows XP machine. In order to acquire it,
the Windows XP user has to be logged in with their user ID and must have a
network connection.

Here, a web browser on the Windows XP client and a wired connection to
the network were used to obtain the root CA certificate from the private root
Certification Authority server. This procedure obtains the CA certificate
from a Microsoft Certification Authority server:

Use a web browser on the client and point the browser to the
Certification Authority server. In order to do this, enter
http://IP-address-of-Root-CA/certsrv.

Log in using Domain_Name\user_name. You must log
in using the username of the individual who is to use the XP
client.

On the Welcome window, choose Retrieve a CA
certificate and click Next.

Select Base64 Encoding and click Download CA
certificate.

On the Certificate Issued window, click Install this
certificate and click Next.

The client must also obtain its own certificate from the Certification
Authority server so that the WLC can authenticate it as an EAP-TLS client.
There are several methods that you can use in order to obtain a client
certificate and install it on the Windows XP machine. In order to acquire a
valid certificate, the Windows XP user has to be logged in with their user ID
and must have a network connection (either a wired connection or a WLAN
connection with 802.1X security disabled).

Here, a web browser on the Windows XP client and a wired connection to
the network are used to obtain the client certificate from the private root
Certification Authority server. This procedure obtains the client
certificate from a Microsoft Certification Authority server:

Use a web browser on the client and point the browser to the
Certification Authority server. In order to do this, enter
http://IP-address-of-Root-CA/certsrv.

Log in using Domain_Name\user_name. You must log
in using the username of the individual who uses the XP client. (The username
gets embedded into the client certificate.)

On the Welcome window, choose Request a
certificate and click Next.

Choose Advanced request and click
Next.

Choose Submit a certificate request to this CA using a
form and click Next.

On the Advanced Certificate Request form, choose the Certificate
Template User and specify the Key Size. This example uses 1024, but
1024-bit RSA keys are no longer considered adequate; choose 2048 or larger if
the CA offers it. Then click Submit.

On the Certificate Issued window, click Install this
certificate and select Client Authentication Certificate. This results in
the successful installation of a client certificate on the Windows XP client;
the client certificate is now created.

In order to check that the certificate is installed, go to Internet
Explorer and choose Tools > Internet Options > Content >
Certificates. In the Personal tab, you should see the
certificate.

The WLC broadcasts the SSID by default, so it is shown in the
Create Networks list of scanned SSIDs. In order to create a Network Profile,
click the SSID in the list (Enterprise) and click Create
Network.

If the WLAN infrastructure is configured with broadcast SSID
disabled, you must add the SSID manually. In order to do this, click
Add under Access Devices and enter the appropriate
SSID (for example, Enterprise). Then configure the active probe behavior for
the client, that is, whether the client actively probes for its configured
SSID: specify Actively search for this access device after you enter the
SSID on the Add Access Device window.

Note: The port settings do not permit enterprise modes (802.1X) if the
EAP authentication settings are not first configured for the profile.

Click Create Network in order to launch the
Network Profile window, which permits you to associate the chosen (or
configured) SSID with an authentication mechanism. Assign a descriptive name
for the profile.

Turn on authentication and check the EAP-TLS method. Then click
Configure in order to configure EAP-TLS
properties.

Under Network Configuration Summary, click Modify
in order to configure the EAP / credentials settings.

Specify Turn On Authentication, choose
EAP-TLS under Protocol, and choose Username
as the Identity.

Specify Use Single Sign on Credentials to use log
on credentials for network authentication. Click Configure to
set up EAP-TLS parameters.

For a secure EAP-TLS configuration the client must check the RADIUS
server certificate (with local EAP, the certificate presented by the WLC). In
order to do this, check Validate Server Certificate. Without this check the
supplicant completes the TLS handshake with any server that presents a
certificate, so a rogue access point broadcasting the same SSID can pose as
the network.

In order to validate the server certificate, you need to give Cisco
Secure Services Client the information it needs to accept only the right
certificate. Choose Client > Trusted Servers > Manage Current
User Trusted Servers.

Give the rule a name and enter the name of the server certificate; the
client then accepts only a certificate with that name that chains to the
installed Certification Authority.
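The two certificate procedures above (a user certificate issued from the CA's User template with the user name in its subject, and the supplicant's validation of the server certificate against the installed CA and a server-name rule) can be reproduced offline with the openssl command line. The script below is an added example and is not part of the original document, of Cisco Secure Services Client or of any Cisco tool; every name, subject and file path in it is made up, and it needs only a POSIX shell and the openssl CLI:

```shell
#!/bin/sh
# Added example, not from the original document or any Cisco tool. Reproduces
# with openssl what the Microsoft CA and the supplicant do in the steps above:
# a private root CA, a server certificate for the WLC, a user certificate in
# the style of the "User" template (clientAuth EKU, user name in the subject),
# and the chain check a supplicant performs when "Validate Server Certificate"
# is on. All names, subjects and paths are constructed for the example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/openssl.cnf"

# Minimal config so the extensions do not depend on the system openssl.cnf.
cat > "$CNF" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
[v3_client]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth
EOF

# make_ca <name>: self-signed root CA. 2048-bit RSA; the 1024-bit key size in
# the Windows XP walkthrough above is below today's minimum.
make_ca() {
  openssl req -x509 -config "$CNF" -extensions v3_ca \
    -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_cert <ca> <name> <subject> <v3_server|v3_client>: CSR signed by <ca>
# with the extensions of the chosen section, the way a CA template would.
issue_cert() {
  openssl req -new -config "$CNF" -newkey rsa:2048 -nodes -sha256 \
    -subj "$3" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$CNF" -extensions "$4" \
    -out "$WORK/$2.crt" 2>/dev/null
}

# chain_ok <trusted-ca> <name> <sslserver|sslclient>: exit 0 only if <name>
# chains to <trusted-ca> AND its key usage / EKU fit the purpose. This is the
# check a supplicant skips when "Validate Server Certificate" is unchecked.
chain_ok() {
  openssl verify -CAfile "$WORK/$1.crt" -purpose "$3" "$WORK/$2.crt" >/dev/null 2>&1
}

# cert_subject <name>: the subject the other side sees; the supplicant's
# trusted-server rule matches on the server name, the WLC on the user name.
cert_subject() {
  openssl x509 -in "$WORK/$1.crt" -noout -subject
}

make_ca Enterprise-Root-CA                        # the CA the clients install
make_ca Rogue-CA                                  # an attacker's CA (evil twin)
issue_cert Enterprise-Root-CA wlc      "/CN=wlc.example.com" v3_server
issue_cert Enterprise-Root-CA jdoe     "/CN=jdoe/O=EXAMPLE"  v3_client
issue_cert Rogue-CA            evil-wlc "/CN=wlc.example.com" v3_server

# Same server name, different issuer: only the chain check tells them apart.
chain_ok Enterprise-Root-CA wlc      sslserver && echo "wlc:      trusted"
chain_ok Enterprise-Root-CA evil-wlc sslserver || echo "evil-wlc: rejected (issuer not trusted)"
chain_ok Enterprise-Root-CA jdoe     sslclient && echo "jdoe:     valid client certificate"
chain_ok Enterprise-Root-CA jdoe     sslserver || echo "jdoe:     not usable as a server certificate"
cert_subject jdoe
```

Run it with sh. The two server certificates carry the same name, wlc.example.com, and differ only in their issuer, which is exactly the evil-twin case the trusted-server rule is meant to catch: the name alone proves nothing, the chain to the installed CA is what separates them. The last two checks show why the template matters as well: a certificate issued for client authentication is refused when offered as a server certificate, and a supplicant that skips the purpose check, or the chain check entirely, loses that protection.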

The EAP-TLS configuration is finished.

Connect to the Wireless network profile. The Cisco Secure Services
Client asks for the user login:

The Cisco Secure Services Client receives the server certificate
and checks it (against the configured rule and the installed Certification
Authority). It then asks which user certificate to use.

After the client authenticates, choose the SSID under
Profile in the Manage Networks tab and click Status to
query the connection details.

The Connection Details window provides information on the client
device, connection status and statistics, and authentication method. The WiFi
Details tab provides details on the 802.11 connection status, which includes
the RSSI, 802.11 channel, and
authentication/encryption.